
Fix some bugs

new-scoring
aeris 2 years ago
parent
commit
48cd65e6e2
3 changed files with 27 additions and 19 deletions
  1. 3
    0
      lib/cryptcheck/tls/cert.rb
  2. 16
    17
      lib/cryptcheck/tls/grade.rb
  3. 8
    2
      lib/cryptcheck/tls/server.rb

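--- a/lib/cryptcheck/tls/cert.rb
+++ b/lib/cryptcheck/tls/cert.rb
@@ -42,6 +42,9 @@ module CryptCheck
 					'id_GostR3411_94_with_GostR3410_94_cc'   => %i(ghost),
 					'id_GostR3411_94_with_GostR3410_2001_cc' => %i(ghost)
 			}
+			WEAK_SIGN = {
+					critical: %i(mdc2 md2 md4 md5 sha sha1)
+			}
 
 			%i(md2 mdc2 md4 md5 ripemd160 sha sha1 sha2 rsa dss ecc ghost).each do |name|
 				class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1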
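Review bot: `WEAK_SIGN` at new lines 45-47 is a mutable constant: neither the hash nor the `%i(...)` array is frozen, although the `CHECKS` table built from it in grade.rb is frozen in this same commit; `WEAK_SIGN = { critical: %i(mdc2 md2 md4 md5 sha sha1).freeze }.freeze` keeps the two consistent. Note also that `sha1` sits under `critical` here, while the `:sha1_sign` check this table replaces in grade.rb was rated `:warning`; if the promotion is intended, a one-line comment above the constant saying so would stop a later reader from treating it as a slip. The enclosing class starts outside the hunk.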

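--- a/lib/cryptcheck/tls/grade.rb
+++ b/lib/cryptcheck/tls/grade.rb
@@ -7,7 +7,7 @@ module CryptCheck
 				@server = server
 				@checks = checks
 				@states = calculate_states
-				@grade = calculate_grade
+				@grade  = calculate_grade
 			end
 
 			def display
@@ -68,22 +68,17 @@ module CryptCheck
 				'A+'
 			end
 
-			CHECKS = [
+			CHECKS = ([
+					# Certificates
+					[:weak_sign, Proc.new { |s|
+						Cert::WEAK_SIGN[:critical]
+					}, :critical],
+
 					# Keys
-					[:dss_sign, Proc.new { |s| s.dss_sig? }, :critical],
-					[:weak_key, Proc.new { |s| Status.problem s.key_status } ],
+					[:weak_key, Proc.new { |s| Status.problem s.keys.collect &:status }],
 
 					# DH
-					[:weak_dh, Proc.new { |s| Status.problem s.dh_status } ],
-
-					# Certificates
-					[:md2_sign, Proc.new { |s| s.md2_sig? }, :critical],
-					[:mdc2_sign, Proc.new { |s| s.mdc2_sig? }, :critical],
-					[:md4_sign, Proc.new { |s| s.md4_sig? }, :critical],
-					[:md5_sign, Proc.new { |s| s.md5_sig? }, :critical],
-					[:sha_sign, Proc.new { |s| s.sha_sig? }, :critical],
-
-					[:sha1_sign, Proc.new { |s| s.sha1_sig? }, :warning],
+					[:weak_dh, Proc.new { |s| Status.problem s.dh.collect &:status }],
 
 					# Protocols
 					[:ssl, Proc.new { |s| s.ssl? }, :critical],
@@ -111,14 +106,18 @@ module CryptCheck
 
 					[:aead, Proc.new { |s| s.aead? }, :good],
 					#[:aead_only, Proc.new { |s| s.aead_only? }, :best],
-			]
+			] + Cert::WEAK_SIGN.collect do |level, hashes|
+				hashes.collect do |hash|
+					["#{hash}_sig?".to_sym, Proc.new { |s| s.certs.any? &"#{hash}?".to_sym }, level ]
+				end
+			end.flatten(1)).freeze
 
 			def checks
 				checks = CHECKS
 				unless @server.fallback_scsv? == nil
 					checks += [
-						[:no_fallback_scsv, Proc.new { |s| not s.fallback_scsv? }, :error],
-						[:fallback_scsv, Proc.new { |s| s.fallback_scsv? }, :good]
+							[:no_fallback_scsv, Proc.new { |s| not s.fallback_scsv? }, :error],
+							[:fallback_scsv, Proc.new { |s| s.fallback_scsv? }, :good]
 					]
 				end
 				checks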
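Review bot: The `:weak_sign` entry at new lines 73-75 ignores its `s` argument and returns `Cert::WEAK_SIGN[:critical]`, a constant symbol array, so it never inspects the server; being always truthy, it presumably rates every server `:critical` unless `calculate_states` (outside the hunk) treats non-boolean results specially. The per-hash checks generated from `Cert::WEAK_SIGN` at lines 109-113 already cover weak signature algorithms, so these three lines look like a leftover and should be dropped. Separately, `"#{hash}_sig?".to_sym` at line 111 yields check names ending in `?` (`:md5_sig?`), unlike every other name in the table; `:"#{hash}_sign"` would match the removed `:md5_sign` style, provided nothing keys on the new names. The same line's `s.certs.any? &"#{hash}?".to_sym` relies on a space-prefixed `&`, which Ruby warns about as an ambiguous argument prefix; `s.certs.any?(&:"#{hash}?")` is unambiguous.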

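--- a/lib/cryptcheck/tls/server.rb
+++ b/lib/cryptcheck/tls/server.rb
@@ -28,6 +28,8 @@ module CryptCheck
 			class ConnectionError < ::StandardError
 			end
 
+			attr_reader :certs, :keys, :dh
+
 			def initialize(hostname, family, ip, port)
 				@hostname, @family, @ip, @port = hostname, family, ip, port
 				@dh                            = []
@@ -48,6 +50,7 @@ module CryptCheck
 				check_fallback_scsv
 
 				verify_certs
+				exit
 			end
 
 			def supported_method?(method)
@@ -105,7 +108,7 @@ module CryptCheck
 									  ab      = ssl_client(method, [a, b]).cipher.first
 									  ba      = ssl_client(method, [b, a]).cipher.first
 									  if ab != ba
-										  Logger.info { "  #{method}  : " + 'client preference'.colorize(:warning) }
+										  Logger.info { "  #{method} : " + 'client preference'.colorize(:warning) }
 										  :client
 									  else
 										  sort        = -> (a, b) do
@@ -151,6 +154,7 @@ module CryptCheck
 			def fetch_supported_curves
 				Logger.info { '' }
 				Logger.info { 'Supported elliptic curves' }
+				@supported_curves = []
 
 				ecdsa_curve = @ecdsa_certs.keys.first
 				if ecdsa_curve
@@ -286,7 +290,7 @@ module CryptCheck
 			Cipher::TYPES.each do |type, _|
 				class_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
 					def #{type}?
-						supported_ciphers.any? { |c| c.#{type}? }
+						@supported_ciphers.any? { |c| c.#{type}? }
 					end
 				RUBY_EVAL
 			end
@@ -451,6 +455,8 @@ module CryptCheck
 				# Then, collect "ecdsa" connections
 				# { curve => connection, ... }
 				certs  += @ecdsa_certs.values
+				# For anonymous cipher, there is no certificate at all
+				certs = certs.reject { |c| c.peer_cert.nil? }
 				# Then, fetch cert
 				certs  = certs.collect { |c| Cert.new c }
 				# Then, filter cert to keep uniq fingerprint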
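Review bot: The bare `exit` inserted at new line 53, right after `verify_certs`, terminates the whole process, so the enclosing method (which starts outside the hunk) never returns to its caller and no grade can be computed for the scanned server; it reads like a debugging stop and should be removed. At line 293 the generated `#{type}?` predicates switch from the `supported_ciphers` accessor to the `@supported_ciphers` ivar; if that accessor did any lazy fetching or the ivar is unset until the cipher scan has run, calling a predicate early now raises `NoMethodError` on `nil` rather than triggering the fetch — worth confirming against the accessor's definition, which is outside the hunk.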
